elixir-tesla
- >= 0.6.0, < 1.18.3
A denial-of-service vulnerability affects the Elixir Tesla HTTP client library in versions from 0.6.0 up to, but not including, 1.18.3. The middlewares 'Tesla.Middleware.DecompressResponse' and 'Tesla.Middleware.Compression', when present in a Tesla middleware pipeline, decompress HTTP response bodies eagerly and with no limit on the decompressed size. A server the client talks to (or anyone able to tamper with an unencrypted response in transit) can therefore return a small compressed body that expands into a very large amount of memory when it is decoded. With gzip, a response made of highly repetitive data inflates by roughly 1000x per compression layer, and stacking several gzip layers multiplies these factors, so a payload of a few kilobytes can stand for gigabytes once fully decompressed and exhaust the memory of the decoding process.
Exploitation of this vulnerability causes the application to run out of memory, leading to a crash or freeze of the calling process.
To reproduce this vulnerability, include 'Tesla.Middleware.DecompressResponse' or 'Tesla.Middleware.Compression' in the Tesla middleware pipeline of an application, then have that application make a request to a server you control (the malicious payload is a response, so it is delivered by the upstream server or by an on-path attacker). Serve a small gzip-compressed body, gzipped several times over, with a 'content-encoding' header that lists the gzip encoding once per layer. The middleware will decompress every layer without a size limit, so a payload of a few kilobytes inflates into gigabytes of data in the application's memory.
The vulnerability is fixed in Tesla 1.18.3; update to that version or later (for example by requiring '{:tesla, "~> 1.18.3"}' in mix.exs and running 'mix deps.update tesla'). Applications that use 'Tesla.Middleware.Compression' must now set the ':max_body_size' option, which caps the size of decompressed response bodies; choose a value that matches the largest response the application legitimately expects, since anything larger will be rejected rather than decoded.
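The amplification and the size cap described above, as an added example in Python that is not Tesla's own code: build_gzip_bomb constructs a payload of zeros gzipped several times, unsafe_inflate mirrors the unbounded eager decode the vulnerable middleware performs, and bounded_gunzip together with decode_stacked show a cap equivalent in spirit to ':max_body_size' enforced on every layer of a stacked 'content-encoding' header. The function names, the exception type and the sample payload are assumptions of this example, not anything from the Tesla project.

```python
"""Gzip decompression bomb vs. a size-capped decoder (added example, not Tesla code)."""
import gzip
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when a decompressed body would exceed the configured cap."""


def build_gzip_bomb(plain_size: int, layers: int = 1) -> bytes:
    """Constructed payload: `plain_size` zero bytes gzipped `layers` times.

    Each gzip layer shrinks a run of zeros by roughly 1000x, so a few KB on
    the wire can stand for hundreds of MB or more once fully inflated.
    """
    data = b"\x00" * plain_size
    for _ in range(layers):
        data = gzip.compress(data, compresslevel=9)
    return data


def unsafe_inflate(body: bytes, layers: int) -> bytes:
    """Eager, unbounded inflate: the behaviour the advisory describes.

    Nothing stops the output from growing until the process runs out of memory.
    """
    for _ in range(layers):
        body = gzip.decompress(body)
    return body


def bounded_gunzip(body: bytes, max_body_size: int) -> bytes:
    """Inflate one gzip layer, aborting as soon as output exceeds max_body_size.

    zlib's decompressobj caps output per call (max_length) and hands the
    unconsumed input back via unconsumed_tail, so memory use is bounded by
    the cap rather than by whatever the peer decided to send.
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # expect a gzip wrapper
    out = bytearray()
    pending = body
    while pending:
        # Ask for one byte past the cap: receiving it proves the body is too large.
        budget = max_body_size - len(out) + 1
        chunk = d.decompress(pending, budget)
        out += chunk
        if len(out) > max_body_size:
            raise DecompressionLimitExceeded(
                f"decompressed body exceeds {max_body_size} bytes"
            )
        if d.eof:
            break
        if not chunk and len(d.unconsumed_tail) == len(pending):
            raise ValueError("inflate made no progress")  # defensive guard
        pending = d.unconsumed_tail
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return bytes(out)


def decode_stacked(body: bytes, content_encoding: str, max_body_size: int) -> bytes:
    """Undo a stacked 'content-encoding: gzip, gzip, ...' header with the cap
    enforced on every layer, not only the last one.

    The sender applied the encodings in list order, so they are removed in
    reverse. Anything other than gzip (or the identity no-op) is rejected
    rather than passed through silently.
    """
    encodings = [e.strip().lower() for e in content_encoding.split(",") if e.strip()]
    for enc in reversed(encodings):
        if enc == "identity":
            continue
        if enc not in ("gzip", "x-gzip"):
            raise ValueError(f"unsupported content-encoding: {enc}")
        body = bounded_gunzip(body, max_body_size)
    return body


if __name__ == "__main__":
    bomb = build_gzip_bomb(1_000_000, layers=2)  # constructed sample payload
    print(f"on the wire: {len(bomb)} bytes")
    try:
        decode_stacked(bomb, "gzip, gzip", max_body_size=64 * 1024)
    except DecompressionLimitExceeded as exc:
        print(f"rejected: {exc}")
```

Checking the cap inside the inflate loop, rather than after gzip.decompress has returned, is the point: a limit applied to the finished output would already have allocated the full expanded body. Enforcing the same cap on intermediate layers matters too, because the second-to-last layer of a stacked bomb is itself large enough to exhaust memory.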